WO2023142097A1 - User equipment to network relay security for proximity-based services - Google Patents

User equipment to network relay security for proximity-based services

Info

Publication number
WO2023142097A1
Authority
WO
WIPO (PCT)
Prior art keywords
ausf
relay
wireless communication
communication device
authentication
Prior art date
Application number
PCT/CN2022/075148
Other languages
English (en)
Inventor
Yuze LIU
Shilin You
Jin Peng
Zhen XING
Zhaoji Lin
Original Assignee
Zte Corporation
Priority date
Filing date
Publication date
Application filed by Zte Corporation
Priority to CA3236441A1
Priority to PCT/CN2022/075148
Publication of WO2023142097A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • The disclosure relates generally to wireless communications, including but not limited to systems and methods for authenticating remote wireless communication devices.
  • The standardization organization Third Generation Partnership Project (3GPP) is currently in the process of specifying a new radio interface called 5G New Radio (5G NR) as well as a Next Generation Packet Core Network (NG-CN or NGC).
  • The 5G NR will have three main components: a 5G Access Network (5G-AN), a 5G Core Network (5GC), and a User Equipment (UE).
  • The elements of the 5GC, also called Network Functions, have been simplified, with some of them being software based so that they can be adapted according to need.
  • Example embodiments disclosed herein are directed to solving the issues relating to one or more of the problems presented in the prior art, as well as providing additional features that will become readily apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings.
  • Example systems, methods, devices and computer program products are disclosed herein. It is understood, however, that these embodiments are presented by way of example and are not limiting, and it will be apparent to those of ordinary skill in the art who read the present disclosure that various modifications to the disclosed embodiments can be made while remaining within the scope of this disclosure.
  • At least one aspect is directed to a system, a method, an apparatus, or a computer-readable medium for authenticating remote wireless communication devices.
  • An authentication server function (AUSF) may send, to a unified data management (UDM), a request for authentication vectors (AV) in association with a remote wireless communication device seeking authorization to access a network via a relay wireless communication device.
  • The request may include an indicator to indicate to the UDM to bypass storing information related to the AUSF.
  • The AUSF may receive, from the UDM, the AV in response to the request.
  • The AUSF may initiate authentication of the remote wireless communication device, in response to the information related to the AUSF.
  • The indicator may include at least one of: an identifier of the remote wireless communication device, a subscriber concealed identifier (SUCI), a subscriber permanent identifier (SUPI), or a name of the network.
  • The indicator may include a relay service code or other service code, a freshness parameter value, or a default or defined value.
  • At least one aspect is directed to a system, a method, an apparatus, or a computer-readable medium for authenticating remote wireless communication devices.
  • An authentication server function (AUSF) may send, to a unified data management (UDM), a request for authentication vectors (AV).
  • The AUSF may initiate authentication of a remote wireless communication device seeking authorization to access a network via a relay wireless communication device.
  • The AUSF may send, to the UDM, a message after completion of the authentication, to indicate to the UDM to bypass storing information related to the AUSF.
  • The AUSF may initiate the authentication of the remote wireless communication device, in response to the information related to the AUSF.
  • The information related to the AUSF may include at least one of: an identifier of the AUSF, or the AV.
  • The AUSF may receive, from a relay access and mobility management function (AMF), an authentication request.
  • The authentication request may include at least one of: an identifier of the remote wireless communication device, a subscriber concealed identifier (SUCI), a relay service code, a nonce, or a name of the network.
  • The relay AMF may not initiate a network access stratum (NAS) security mode command (SMC) procedure with the remote wireless communication device.
  • The relay AMF may not initiate the NAS SMC procedure, based on information comprising at least one of: a relay service code, the remote wireless communication device’s identity, or a subscriber concealed identifier (SUCI).
  • The AUSF may generate a proximity services key.
  • The AUSF may send, to a relay wireless communication device via the relay AMF, an authentication response message comprising the proximity services key.
  • The AUSF may cause the relay AMF to send a relay key response to the relay wireless communication device.
  • The relay AMF may delete information related to the remote wireless communication device.
  • The information related to the relay wireless communication device may include at least one of: non access stratum security context information, an access and mobility management function (AMF) key, the remote wireless communication device’s identity, a subscriber concealed identifier (SUCI) or a subscriber permanent identifier (SUPI).
  • At least one aspect is directed to a system, a method, an apparatus, or a computer-readable medium for authenticating remote wireless communication devices.
  • A unified data management (UDM) may receive, from an authentication server function (AUSF), a request for authentication vectors (AV) in association with a remote wireless communication device seeking authorization to access a network via a relay wireless communication device.
  • The request may include an indicator to indicate to the UDM to bypass storing information related to the AUSF.
  • The UDM may send, to the AUSF, the AV in response to the request.
  • At least one aspect is directed to a system, a method, an apparatus, or a computer-readable medium for authenticating remote wireless communication devices.
  • A unified data management (UDM) may receive, from an authentication server function (AUSF), a request for authentication vectors (AV).
  • The UDM may cause the AUSF to initiate authentication of a remote wireless communication device seeking authorization to access a network via a relay wireless communication device.
  • The UDM may receive, from the AUSF, a message after completion of the authentication, to indicate to the UDM to bypass storing information related to the AUSF.
  • FIG. 1 illustrates an example cellular communication network in which techniques disclosed herein may be implemented, in accordance with an embodiment of the present disclosure.
  • FIG. 2 illustrates a block diagram of an example base station and a user equipment device, in accordance with some embodiments of the present disclosure.
  • FIG. 3 illustrates a block diagram of an architecture for accessing a network via a user equipment (UE)-to-network relay and for authorizing UEs, in accordance with an illustrative embodiment.
  • FIG. 4 illustrates a block diagram of a process of performing a security procedure over a control plane, in accordance with an illustrative embodiment.
  • FIG. 5 illustrates a block diagram of a process of performing a security procedure over a control plane with an indication to bypass storage, in accordance with an illustrative embodiment.
  • FIG. 6 illustrates a block diagram of a process of authenticating a remote user equipment (UE), in accordance with an illustrative embodiment.
  • FIG. 7 illustrates a block diagram of a process of authorization for subsequent procedures, in accordance with an illustrative embodiment.
  • FIG. 8 illustrates a flow diagram of a method of authenticating remote wireless communication devices, in accordance with an illustrative embodiment.
  • FIG. 1 illustrates an example wireless communication network and/or system 100 in which techniques disclosed herein may be implemented, in accordance with an embodiment of the present disclosure.
  • The wireless communication network 100 may be any wireless network, such as a cellular network or a narrowband Internet of things (NB-IoT) network, and is herein referred to as “network 100”.
  • Such an example network 100 includes a base station 102 (hereinafter “BS 102”; also referred to as a wireless communication node) and a user equipment device 104 (hereinafter “UE 104”; also referred to as a wireless communication device) that can communicate with each other via a communication link 110 (e.g., a wireless communication channel), and a cluster of cells 126, 130, 132, 134, 136, 138 and 140 overlaying a geographical area 101.
  • The BS 102 and UE 104 are contained within the geographic boundary of cell 126.
  • Each of the other cells 130, 132, 134, 136, 138 and 140 may include at least one base station operating at its allocated bandwidth to provide adequate radio coverage to its intended users.
  • The BS 102 may operate at an allocated channel transmission bandwidth to provide adequate coverage to the UE 104.
  • The BS 102 and the UE 104 may communicate via a downlink radio frame 118 and an uplink radio frame 124, respectively.
  • Each radio frame 118/124 may be further divided into sub-frames 120/127, which may include data symbols 122/128.
  • The BS 102 and UE 104 are described herein as non-limiting examples of “communication nodes” generally, which can practice the methods disclosed herein. Such communication nodes may be capable of wireless and/or wired communications, in accordance with various embodiments of the present solution.
  • FIG. 2 illustrates a block diagram of an example wireless communication system 200 for transmitting and receiving wireless communication signals (e.g., OFDM/OFDMA signals) in accordance with some embodiments of the present solution.
  • The system 200 may include components and elements configured to support known or conventional operating features that need not be described in detail herein.
  • System 200 can be used to communicate (e.g., transmit and receive) data symbols in a wireless communication environment such as the wireless communication environment 100 of Figure 1, as described above.
  • The system 200 generally includes a base station 202 (hereinafter “BS 202”) and a user equipment device 204 (hereinafter “UE 204”).
  • The BS 202 includes a BS (base station) transceiver module 210, a BS antenna 212, a BS processor module 214, a BS memory module 216, and a network communication module 218, each module being coupled and interconnected with one another as necessary via a data communication bus 220.
  • The UE 204 includes a UE (user equipment) transceiver module 230, a UE antenna 232, a UE memory module 234, and a UE processor module 236, each module being coupled and interconnected with one another as necessary via a data communication bus 240.
  • The BS 202 communicates with the UE 204 via a communication channel 250, which can be any wireless channel or other medium suitable for transmission of data as described herein.
  • System 200 may further include any number of modules other than the modules shown in Figure 2.
  • Those skilled in the art will understand that the various illustrative blocks, modules, circuits, and processing logic described in connection with the embodiments disclosed herein may be implemented in hardware, computer-readable software, firmware, or any practical combination thereof. To clearly illustrate this interchangeability and compatibility of hardware, firmware, and software, various illustrative components, blocks, modules, circuits, and steps are described generally in terms of their functionality. Whether such functionality is implemented as hardware, firmware, or software can depend upon the particular application and design constraints imposed on the overall system. Those familiar with the concepts described herein may implement such functionality in a suitable manner for each particular application, but such implementation decisions should not be interpreted as limiting the scope of the present disclosure.
  • The UE transceiver 230 may be referred to herein as an “uplink” transceiver 230 that includes a radio frequency (RF) transmitter and an RF receiver, each comprising circuitry that is coupled to the antenna 232.
  • A duplex switch (not shown) may alternatively couple the uplink transmitter or receiver to the uplink antenna in time duplex fashion.
  • The BS transceiver 210 may be referred to herein as a “downlink” transceiver 210 that includes an RF transmitter and an RF receiver, each comprising circuitry that is coupled to the antenna 212.
  • A downlink duplex switch may alternatively couple the downlink transmitter or receiver to the downlink antenna 212 in time duplex fashion.
  • The operations of the two transceiver modules 210 and 230 may be coordinated in time such that the uplink receiver circuitry is coupled to the uplink antenna 232 for reception of transmissions over the wireless transmission link 250 at the same time that the downlink transmitter is coupled to the downlink antenna 212. Conversely, the operations of the two transceivers 210 and 230 may be coordinated in time such that the downlink receiver is coupled to the downlink antenna 212 for reception of transmissions over the wireless transmission link 250 at the same time that the uplink transmitter is coupled to the uplink antenna 232. In some embodiments, there is close time synchronization with a minimal guard time between changes in duplex direction.
  • The UE transceiver 230 and the base station transceiver 210 are configured to communicate via the wireless data communication link 250, and cooperate with a suitably configured RF antenna arrangement 212/232 that can support a particular wireless communication protocol and modulation scheme.
  • The UE transceiver 230 and the base station transceiver 210 are configured to support industry standards such as Long Term Evolution (LTE) and the emerging 5G standards, and the like. It is understood, however, that the present disclosure is not necessarily limited in application to a particular standard and associated protocols. Rather, the UE transceiver 230 and the base station transceiver 210 may be configured to support alternate, or additional, wireless data communication protocols, including future standards or variations thereof.
  • The BS 202 may be an evolved node B (eNB), a serving eNB, a target eNB, a femto station, or a pico station, for example.
  • The UE 204 may be embodied in various types of user devices such as a mobile phone, a smart phone, a personal digital assistant (PDA), a tablet, a laptop computer, a wearable computing device, etc.
  • The processor modules 214 and 236 may be implemented, or realized, with a general purpose processor, a content addressable memory, a digital signal processor, an application specific integrated circuit, a field programmable gate array, any suitable programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, designed to perform the functions described herein.
  • A processor may be realized as a microprocessor, a controller, a microcontroller, a state machine, or the like.
  • A processor may also be implemented as a combination of computing devices, e.g., a combination of a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other such configuration.
  • The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in firmware, in a software module executed by processor modules 214 and 236, respectively, or in any practical combination thereof.
  • The memory modules 216 and 234 may be realized as RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
  • Memory modules 216 and 234 may be coupled to the processor modules 210 and 230, respectively, such that the processor modules 210 and 230 can read information from, and write information to, memory modules 216 and 234, respectively.
  • The memory modules 216 and 234 may also be integrated into their respective processor modules 210 and 230.
  • The memory modules 216 and 234 may each include a cache memory for storing temporary variables or other intermediate information during execution of instructions to be executed by processor modules 210 and 230, respectively.
  • Memory modules 216 and 234 may also each include non-volatile memory for storing instructions to be executed by the processor modules 210 and 230, respectively.
  • The network communication module 218 generally represents the hardware, software, firmware, processing logic, and/or other components of the base station 202 that enable bi-directional communication between the base station transceiver 210 and other network components and communication nodes configured to communicate with the base station 202.
  • Network communication module 218 may be configured to support internet or WiMAX traffic.
  • Network communication module 218 provides an 802.3 Ethernet interface such that the base station transceiver 210 can communicate with a conventional Ethernet-based computer network.
  • The network communication module 218 may include a physical interface for connection to the computer network (e.g., a Mobile Switching Center (MSC)).
  • The Open Systems Interconnection (OSI) Model (referred to herein as the “open system interconnection model”) is a conceptual and logical layout that defines network communication used by systems (e.g., a wireless communication device or a wireless communication node) open to interconnection and communication with other systems.
  • The model is broken into seven subcomponents, or layers, each of which represents a conceptual collection of services provided to the layers above and below it.
  • The OSI Model also defines a logical network and effectively describes computer packet transfer by using different layer protocols.
  • The OSI Model may also be referred to as the seven-layer OSI Model or the seven-layer model.
  • A first layer may be a physical layer.
  • A second layer may be a Medium Access Control (MAC) layer.
  • A third layer may be a Radio Link Control (RLC) layer.
  • A fourth layer may be a Packet Data Convergence Protocol (PDCP) layer.
  • A fifth layer may be a Radio Resource Control (RRC) layer.
  • A sixth layer may be a Non Access Stratum (NAS) layer or an Internet Protocol (IP) layer, and the seventh layer may be another layer.
  • A 3GPP system may be able to authorize a user equipment (UE) to access a 5G core network (5GC) via a 5G UE-to-network relay, and to authorize a UE to perform as a UE-to-network relay.
  • Otherwise, unauthorized entities may be able to access the 5GC via a UE-to-network relay or act as UE-to-network relays, introducing vulnerabilities and enabling possible distributed denial-of-service (DDOS) attacks or unauthorized service usage on both the 5GS and the UE-to-network relay.
  • The remote UE may run a primary authentication with a remote authentication server function (AUSF) and a remote UDM.
  • The remote AUSF may obtain an authentication vector (AV) from the UDM to trigger the primary authentication.
  • This authentication may be performed between the remote AUSF and the remote UE via the relay access and mobility management function (AMF) and the relay UE.
  • The remote AUSF may not take the newly derived secret key, K_AUSF, as the latest K_AUSF.
  • The newly derived K_AUSF may not be taken as the latest K_AUSF, as a network access stratum (NAS) security mode command (SMC) procedure is not performed between the remote UE and the relay AMF.
  • The UDM may utilize the network function repository function (NRF) to discover the AUSF instances, unless the AUSF information is available by other means, such as AUSF ID(s) locally configured or stored on the UDM.
  • The UDM may select an AUSF instance based on the available AUSF instance(s) obtained from the NRF or based on locally configured information, and on information (e.g., AUSF ID, UE identity, or subscription permanent identifier (SUPI)) stored by the UDM from a previously successful authentication.
  • The UDM may store the remote AUSF instance ID, but the remote AUSF may not have the K_AUSF for the remote UE. This can result in some service failure, such as of a UE parameter update (UPU) or steering of roaming (SOR), which require the UDM to select an AUSF that stores the latest K_AUSF.
  • FIG. 3 depicts a block diagram of an architecture for accessing a network via a user equipment (UE)-to-network relay and for authorizing UEs.
  • A 5G direct discovery name management function (DDNMF) may be introduced into the 5GC as a new network function.
  • The 5G DDNMF may have functions similar, from an architecture point of view, to the DDNMF part of the proximity services (ProSe) Function.
  • FIG. 4 depicts a block diagram of a process 400 of performing a security procedure over a control plane.
  • The remote UE 402 and relay UE 404 may be registered with the network (e.g., via a remote AMF 406).
  • The UE-to-Network relay may be authenticated and authorized by the network to act as a relay UE 404.
  • The remote UE 402 may be authenticated and authorized by the network to act as a remote UE 402.
  • The remote UE 402 may initiate the discovery procedure using either the Model A or the Model B method.
  • The remote UE 402 may send a Direct Communication Request to the relay UE 404 for establishing a secure PC5 unicast link.
  • The remote UE 402 may include its security capabilities and security policy in the dynamic channel reservation (DCR) message.
  • The message may also include a subscription concealed identifier (SUCI), a Relay Service Code, and a Nonce_1.
  • The relay UE 404 may send the relay key request to the relay AMF 408, including the parameters received in the DCR message.
  • The relay AMF 408 may verify whether the relay UE 404 is authorized to act as a UE-to-network (U2N) relay.
  • The relay AMF 408 may select the remote AUSF 410 based on the SUCI and can forward the key request to the AUSF in a Nausf_UEAuthentication_Authenticate Request message.
  • The remote AUSF 410 may retrieve the Authentication Vectors (AVs) from the UDM 412, and can trigger primary authentication of the remote UE 402 using the existing procedure. This authentication may be performed between the remote AUSF 410 and the remote UE 402 via the relay AMF 408 and the relay UE. The remote AUSF 410 may not take the newly derived K_AUSF as the latest K_AUSF. At the remote UE 402, the newly derived K_AUSF may not be taken as the latest K_AUSF, as the NAS SMC procedure is not performed between the remote UE 402 and the relay AMF.
  • The remote AUSF 410 and remote UE 402 may generate a 5G proximity service remote user key (5GPRUK) and a 5GPRUK ID using the newly derived K_AUSF.
  • The AUSF may generate the NR proximity services key (K_NR_ProSe).
  • The remote AUSF 410 may send the 5GPRUK ID, K_NR_ProSe, and Nonce_2 in a Nausf_UEAuthentication_Authenticate Response message to the UE-to-Network relay via the relay AMF.
  • The relay AMF 408 may not attempt to trigger the NAS SMC procedure with the remote UE 402.
  • The relay UE 404 derives the PC5 session key K_relay-sess and the confidentiality and integrity keys from K_NR_ProSe, using the key distribution function (KDF).
  • The K_NR_ProSe ID and K_relay-sess ID may be established in the same way as the K_NRP ID and K_NRP-sess ID.
  • The UE-to-Network relay may send the received 5GPRUK ID and Nonce_2 to the remote UE 402 in a Direct Security mode command message.
  • The remote UE 402 may use the 5GPRUK ID to locate the K_AUSF/5GPRUK to be used for the PC5 link security.
  • The remote UE 402 may generate the K_NR_ProSe key to be used for remote access via the relay UE 404 in the same way as defined in step 436.
  • The remote UE 402 may derive the PC5 session key K_relay-sess and the confidentiality and integrity keys from K_NR_ProSe in the same way as defined in step 440.
  • The remote UE 402 may send the Direct Security mode complete message to the UE-to-Network relay. Further communication between the remote UE 402 and the network may take place securely via the UE-to-Network relay.
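The key chain of the FIG. 4 flow, as an added illustration that is not code from the patent, from ZTE or from 3GPP: the remote AUSF derives 5GPRUK and its ID from the newly derived K_AUSF, derives K_NR_ProSe and hands it to the relay UE, while the remote UE only receives the 5GPRUK ID and Nonce_2 and must reproduce the same K_NR_ProSe and PC5 session keys on its own. The KDF (HMAC-SHA256 over a label and length-prefixed inputs), the derivation inputs (SUPI, relay service code, nonces), the 5GPRUK ID construction and all sample values are assumptions made for this example; the real 3GPP KDF and parameter lists are not reproduced. The example also shows the point the text makes about K_AUSF: because no NAS SMC runs with the relay AMF, the remote UE keeps its previous K_AUSF as the latest one and uses the new one only to derive 5GPRUK.

```python
import hashlib
import hmac


def kdf(key: bytes, label: bytes, *params: bytes) -> bytes:
    """Toy KDF (assumed): HMAC-SHA256 over label || len-prefixed params."""
    mac = hmac.new(key, label, hashlib.sha256)
    for p in params:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


def derive_5gpruk(k_ausf: bytes, supi: bytes, relay_service_code: bytes):
    """5GPRUK and 5GPRUK ID from the newly derived K_AUSF (inputs assumed)."""
    pruk = kdf(k_ausf, b"5GPRUK", supi, relay_service_code)
    pruk_id = hashlib.sha256(b"5GPRUK-ID" + pruk).digest()[:8]  # assumed ID form
    return pruk, pruk_id


def derive_k_nr_prose(pruk: bytes, nonce_1: bytes, nonce_2: bytes) -> bytes:
    """K_NR_ProSe from 5GPRUK and the two nonces (inputs assumed)."""
    return kdf(pruk, b"K_NR_ProSe", nonce_1, nonce_2)


def derive_pc5_keys(k_nr_prose: bytes, nonce_1: bytes, nonce_2: bytes):
    """K_relay-sess plus PC5 confidentiality and integrity keys from K_NR_ProSe."""
    k_relay_sess = kdf(k_nr_prose, b"K_relay-sess", nonce_1, nonce_2)
    k_enc = kdf(k_relay_sess, b"PC5-enc")[:16]
    k_int = kdf(k_relay_sess, b"PC5-int")[:16]
    return k_relay_sess, k_enc, k_int


class RemoteUE:
    """Remote UE state: its latest K_AUSF and the 5GPRUKs it can locate by ID."""

    def __init__(self, supi: bytes, latest_k_ausf: bytes):
        self.supi = supi
        self.latest_k_ausf = latest_k_ausf  # from the UE's own registration
        self.pruks = {}                     # 5GPRUK ID -> 5GPRUK

    def primary_auth_complete(self, new_k_ausf: bytes, relay_service_code: bytes):
        # No NAS SMC runs with the relay AMF, so new_k_ausf does not replace
        # latest_k_ausf; it is used only to derive 5GPRUK and its ID.
        pruk, pruk_id = derive_5gpruk(new_k_ausf, self.supi, relay_service_code)
        self.pruks[pruk_id] = pruk

    def direct_security_mode_command(self, pruk_id: bytes, nonce_1: bytes, nonce_2: bytes):
        # Locate the 5GPRUK by the received ID; an unknown ID means the PC5
        # link cannot be secured, so no keys are derived.
        pruk = self.pruks.get(pruk_id)
        if pruk is None:
            return None
        k_nr_prose = derive_k_nr_prose(pruk, nonce_1, nonce_2)
        return derive_pc5_keys(k_nr_prose, nonce_1, nonce_2)


def run_flow(supi=b"supi-constructed-001", relay_service_code=b"RSC-constructed",
             old_k_ausf=bytes(32), new_k_ausf=bytes(range(32)),
             nonce_1=b"nonce-1-constructed", nonce_2=b"nonce-2-constructed"):
    """Run AUSF, relay UE and remote UE sides on constructed inputs."""
    ue = RemoteUE(supi, old_k_ausf)
    # Remote AUSF side after primary authentication via relay AMF and relay UE.
    ue.primary_auth_complete(new_k_ausf, relay_service_code)
    pruk, pruk_id = derive_5gpruk(new_k_ausf, supi, relay_service_code)
    k_nr_prose = derive_k_nr_prose(pruk, nonce_1, nonce_2)
    # Relay UE: receives 5GPRUK ID, K_NR_ProSe, Nonce_2 and derives PC5 keys.
    relay_keys = derive_pc5_keys(k_nr_prose, nonce_1, nonce_2)
    # Remote UE: receives only 5GPRUK ID and Nonce_2, derives the same keys.
    remote_keys = ue.direct_security_mode_command(pruk_id, nonce_1, nonce_2)
    return {
        "keys_match": relay_keys == remote_keys,
        "latest_k_ausf_unchanged": ue.latest_k_ausf == old_k_ausf,
        "unknown_id_rejected": ue.direct_security_mode_command(
            b"\x00" * 8, nonce_1, nonce_2) is None,
    }


if __name__ == "__main__":
    print(run_flow())
```

The relay UE never sees 5GPRUK or K_AUSF, only K_NR_ProSe, which is why the relay can derive K_relay-sess yet cannot impersonate the remote UE in a later session with a fresh Nonce_2.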
  • the remote UE 502 and relay UE 504 may be registered with the network (e.g., via a remote AFM 506) .
  • the UE-to-Network relay may be authenticated and authorized by the network to provide support as a relay UE.
  • the remote UE 502 may be authenticated and authorized by the network to act as a Remote UE.
  • the remote UE 502 may initiate discovery procedure using any of Model A or Model B method.
  • the Remote UE 502 may send a Direct Communication Request to the relay UE 504 for establishing a secure PC5 unicast link.
  • the Remote UE 502 may include its security capabilities and security policy in the DCR message.
  • the message may also include a SUCI, Relay Service Code, and Nonce_1, among others.
  • the relay UE 504 may send the relay key request to the relay AMF 508 , including the parameters received in the DCR message.
  • the relay AMF 508 may verify whether the relay UE 504 is authorized to act as a U2N relay.
  • the relay AMF 508 may select a remote AUSF 510 based on SUCI and forward the key request to the remote AUSF 510 in a Nausf_UEAuthentication_Authenticate Request message.
  • the remote AUSF 510 may retrieve the Authentication Vectors (AV) from the UDM 512 by sending an AV get request message, such as a a Nudm_UEAuthentication_Get request.
  • This AV get request message may include the remote UE’s SUCI and a store indication parameter.
  • This store indication parameter may be used to indicate to the UDM 512 to not store the remote AUSF 510 related information (e.g., remote AUSF instance ID, and AVs) which is to trigger this primary authentication.
  • the store indication parameter may be a service code (Relay service code or some other service code) , a freshness parameter (random number) , a constant, and some default value, among others.
  • the UDM 512 sends a response to the remote AUSF 510 which includes the AVs.
  • UDM 512 should not store the related information about the remote AUSF 510 (e.g., AVs) .
  • the remote AUSF 510 may retrieve the Authentication Vectors from the UDM 512 and can trigger the primary authentication of the remote UE 502 using existing procedure. This authentication is performed between the remote AUSF 510 and the remote UE 502 via the relay AMF 508 and relay UE.
  • the remote AUSF 510 may not make the newly derived K AUSF as the latest K AUSF .
  • the newly derived K AUSF may not be taken as latest K AUSF as NAS SMC procedure is not performed between remote UE 502 and relay AMF 508 .
  • the relay AMF 508 does not run NAS SMC, based on (or in response to) certain information (e.g., in the relay service code) .
  • the remote AUSF 510 and Remote UE 502 may generate 5GPRUK and 5GPRUK ID using the newly derived K AUSF .
  • the remote AUSF 510 may generate the K NR_ProSe key.
  • the remote AUSF 510 may send the 5GPRUK ID, K NR_ProSe , Nonce_2 in Nausf_UEAuthentication_Authenticate Response message to the UE-to-Network relay via relay AMF 508.
  • the relay AMF 508 may not attempt to trigger NAS SMC procedure with remote UE 504.
  • the relay AMF 508 may delete information related to the remote UE.
  • the relay AMF 508 can send the 5GPRUK ID, K NR_ProSe , Nonce_2 in a relay key response to the relay UE.
  • Relay UE 504 may derive PC5 session key K relay-sess and confidentiality and integrity keys from K NR_ProSe , using the KDF .
  • K NR_ProSe ID and K relay-sess ID may be established in the same way as KNRP ID and K NRP-sess ID.
  • the UE-to-Network relay may send the received 5GPRUK ID, Nonce_2 to the Remote UE 502 in Direct Security mode command message.
  • the remote UE 502 may use the 5GPRUK ID to locate the K_AUSF or 5GPRUK to be used for the PC5 link security.
  • the remote UE 502 may generate the K_NR_ProSe key to be used for remote access via the relay UE 504 in the same way as defined in step 538.
  • the remote UE 502 may derive the PC5 session key K_relay-sess and the confidentiality and integrity keys from K_NR_ProSe in the same way as defined in step 542.
  • Remote UE 502 may send the Direct Security mode complete message to the UE-to-Network relay.
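The key chain in the bullets above (the newly derived K_AUSF to 5GPRUK and 5GPRUK ID, then K_NR_ProSe, then K_relay-sess and the PC5 confidentiality and integrity keys, with the remote UE locating its 5GPRUK by the 5GPRUK ID it receives in the Direct Security mode command) is easier to follow with both sides run side by side. The following Python is an added example written for this page, not code from the patent or from ZTE. It uses an HMAC-SHA-256 KDF in the shape of the 3GPP generic KDF, but the FC values, the exact KDF input parameters, the identifier lengths and the sample SUPI, relay service code and nonces are all assumptions, not the values standardised in TS 33.503.

```python
"""Added example (not code from the patent): the ProSe key hierarchy of
process 500, modelled with an HMAC-SHA-256 KDF in the style of the 3GPP
generic KDF (S = FC || P0 || L0 || P1 || L1 ...). The FC values, the input
parameters and the identifier lengths are assumptions for illustration,
not the values defined in 3GPP TS 33.503."""
import hashlib
import hmac
import os
import struct


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP-style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + struct.pack(">H", len(p))  # Li = 2-byte big-endian length of Pi
    return hmac.new(key, s, hashlib.sha256).digest()


# Placeholder FC values (assumed; the standard assigns its own).
FC_5GPRUK, FC_5GPRUK_ID, FC_KNR_PROSE, FC_KRELAY_SESS, FC_PC5 = 0x70, 0x71, 0x72, 0x73, 0x74


class ProSeKeyHolder:
    """Derivations both the remote UE and the remote AUSF can run from the newly
    derived K_AUSF, which (per the patent) is not taken as the latest K_AUSF."""

    def __init__(self, k_ausf: bytes, supi: str):
        self.k_ausf, self.supi = k_ausf, supi.encode()

    def derive_5gpruk(self, relay_service_code: bytes):
        pruk = kdf(self.k_ausf, FC_5GPRUK, self.supi, relay_service_code)
        pruk_id = kdf(self.k_ausf, FC_5GPRUK_ID, self.supi, relay_service_code)[:8]
        return pruk, pruk_id

    def derive_knr_prose(self, pruk: bytes, rsc: bytes, nonce_1: bytes, nonce_2: bytes):
        """K_NR_ProSe, generated by the AUSF (step 538) and by the remote UE the same way."""
        return kdf(pruk, FC_KNR_PROSE, rsc, nonce_1, nonce_2)


def derive_pc5_keys(knr_prose: bytes, nonce_1: bytes, nonce_2: bytes, alg_conf: int, alg_int: int):
    """Relay UE (step 542) and remote UE: K_relay-sess, then confidentiality and
    integrity keys from it. The algorithm type distinguisher and algorithm id go
    into the derivation, so changing one algorithm changes only that key."""
    k_relay_sess = kdf(knr_prose, FC_KRELAY_SESS, nonce_1, nonce_2)
    k_conf = kdf(k_relay_sess, FC_PC5, b"\x01", bytes([alg_conf]))[16:]  # 128-bit, lower half
    k_int = kdf(k_relay_sess, FC_PC5, b"\x02", bytes([alg_int]))[16:]
    return k_relay_sess, k_conf, k_int


def relay_key_setup(k_ausf, supi, rsc, nonce_1, nonce_2, alg_conf=1, alg_int=2):
    """Run both sides of the exchange and report whether the relay UE and the
    remote UE end up with identical PC5 keys."""
    # Network side: the remote AUSF derives 5GPRUK/5GPRUK ID and K_NR_ProSe and hands
    # (5GPRUK ID, K_NR_ProSe, Nonce_2) to the relay UE via the relay AMF.
    ausf = ProSeKeyHolder(k_ausf, supi)
    pruk, pruk_id = ausf.derive_5gpruk(rsc)
    relay_keys = derive_pc5_keys(ausf.derive_knr_prose(pruk, rsc, nonce_1, nonce_2),
                                 nonce_1, nonce_2, alg_conf, alg_int)
    # Remote UE side: holds its 5GPRUKs keyed by 5GPRUK ID, locates the one named
    # in the Direct Security mode command, and repeats the derivation.
    ue = ProSeKeyHolder(k_ausf, supi)
    ue_pruk, ue_pruk_id = ue.derive_5gpruk(rsc)
    ue_pruks = {ue_pruk_id: ue_pruk}
    if pruk_id not in ue_pruks:
        raise KeyError("remote UE cannot locate a 5GPRUK for the received 5GPRUK ID")
    ue_keys = derive_pc5_keys(ue.derive_knr_prose(ue_pruks[pruk_id], rsc, nonce_1, nonce_2),
                              nonce_1, nonce_2, alg_conf, alg_int)
    return {"5gpruk_id": pruk_id, "relay": relay_keys, "remote_ue": ue_keys,
            "match": relay_keys == ue_keys}


if __name__ == "__main__":
    # Constructed inputs: a fresh K_AUSF from the relay-triggered primary authentication,
    # Nonce_1 from the remote UE, Nonce_2 from the network.
    out = relay_key_setup(os.urandom(32), "imsi-001010123456789", b"\x00\x00\x01",
                          os.urandom(16), os.urandom(16))
    print("5GPRUK ID:", out["5gpruk_id"].hex(), "PC5 keys match:", out["match"])
```

Because K_NR_ProSe and everything below it are bound to the relay service code and both nonces, re-running `relay_key_setup` with a different service code or nonce yields a different 5GPRUK ID and session key, which is the freshness the nonces exist to provide; the `KeyError` branch is what the remote UE hits if the 5GPRUK ID in the Direct Security mode command names a key it never derived.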
  • FIG. 6 depicts a block diagram of a process 600 of authenticating remote user equipment (UE). Further communication between the remote UE 602 and the network may take place securely via the UE-to-Network relay.
  • a UDM 608 or authentication credential repository and processing function (ARPF) may generate the AV.
  • the UDM 608 may send a response including the AV, along with a SUPI, an authentication and key management for application (AKMA) , and a routing indicator, among others.
  • the AUSF may store an expected result (XRES*) .
  • the AUSF may generate a hash of the expected result (HXRES*) .
  • the AUSF 608 may send the result to a security anchor function (SEAF) 604. If the AUSF indicates that the authentication was successful from the home network point of view, then the AMF may initiate the NAS security mode command procedure with the UE, to take the newly generated partial native 5G NAS security context into use in steps 620–632. In some embodiments, the AMF may omit the initiation of the NAS SMC procedure.
  • the UE 702 may perform an authentication with an AUSF 706.
  • the UDM 708 may store the AUSF 706 instance which reported the successful authentication.
  • the UDM 708 may request the old AUSF 706 to clear the stale security parameters (KAUSF, steering of roaming (SOR) counter and UE parameter update counter) .
  • the information sent from the AUSF 706 to the UDM 708 that a successful or unsuccessful authentication of a subscriber has occurred may be used to link authentication confirmation to subsequent procedures.
  • the AUSF 706 may send the Nudm_UEAuthentication_ResultConfirmation service operation.
  • the AUSF 706 may use another message in place of step 710 to indicate to the UDM 708 not to store the AUSF 706 instance information.
  • a relay access and mobility function may send an authentication request to an authentication server function (AUSF) (805) .
  • the AUSF may receive the authentication request (810) .
  • the AUSF may send a request for authentication vectors (AV) to a unified data management (UDM) (815) .
  • the UDM may receive the request for AV from the AUSF (820) .
  • the UDM may send a response with AV to the AUSF (825) .
  • the AUSF may receive the response with the AV from the UDM (830) .
  • the AUSF may initiate authentication (835) .
  • the AUSF may provide a message with a key to the relay AMF (840) .
  • the relay AMF may receive the message with the key (845) .
  • a relay access and mobility function (e.g., the relay AMF 408 or 508) may provide, transmit, or otherwise send an authentication request to an authentication server function (AUSF) (e.g., the AUSF 410 or 510) (805) .
  • the authentication request may identify or include one or more of: an identifier of a remote wireless communication device (e.g., relay UE 104, 204, 402, or 502) , a subscription concealed identifier (SUCI) , a relay service code, a nonce, or a name of a network (e.g., serving network name) , among others.
  • the authentication request may be, for example, a Nausf_UEAuthentication_Authenticate Request message generated by the relay AMF in association with the remote wireless communication device seeking authorization to access a network (e.g., 5GC) .
  • the AUSF may retrieve, identify, or otherwise receive the authentication request from the AMF (810).
  • the AUSF may process or parse the authentication request to extract or identify the identifier of the remote wireless communication device, the SUCI, the relay service code, and the nonce, among others.
  • the AUSF may transmit, provide, or otherwise send a request for authentication vectors (AV) to a unified data management (UDM) (815) .
  • the AUSF may generate the request for AVs.
  • the AVs may be used to authenticate the remote wireless communication device to access the network.
  • the request may be in association with the remote wireless communication device seeking authorization to access the network via a relay wireless communication device (e.g., UE 104, 204, or relay UE 404, or 504) .
  • the request may identify or include an indicator to indicate to the UDM to forego, refrain, or otherwise bypass storing information related to the AUSF.
  • the request may lack a specific indicator to indicate the UDM to bypass the storage of the information related to the AUSF.
  • the request may identify or include the SUCI to obtain the AV from the UDM, and to indicate to the UDM to not store the AUSF related information.
  • the information related to the AUSF may identify or include an identifier of the AUSF or one or more AVs, among others.
  • the indicator (included in the request) may identify or include one or more of: the identifier of the remote wireless communication device, the SUCI, a subscription permanent identifier (SUPI), or the name of the network, among others.
  • when the name of the network is provided by the remote AMF, the AUSF may include the name of the network in the indicator provided to the UDM. Otherwise, when the name of the network is not provided by the remote AMF, the AUSF may refrain from including the name of the network in the indicator, and the indicator may lack the name of the network.
  • the AUSF may also use the name of the network in which the AUSF is located.
  • the indicator may identify or include one or more of a relay service code or other service code, a freshness parameter value, or a default or defined value (e.g., a constant value) .
  • the UDM may retrieve, identify, or otherwise receive the request for AV from the AUSF (820) . With receipt of the request, the UDM may process or parse the request for AV. In some embodiments, the received request may be in association with the remote wireless communication device seeking authorization to access the network via the relay wireless communication device. In some embodiments, from parsing, the UDM may extract or identify the indicator to indicate to the UDM to bypass the storing of the information related to the AUSF. In response to the receipt, the UDM may create or generate the AV for authenticating the remote wireless communication device to authenticate with the network.
  • the AV may identify or include one or more of: a random value (RAND) , an authentication token (AUTN) , expected value (XRES*) , and security key (e.g., KAUSF) , among others.
  • the AV may be a part of the information related to the AUSF.
  • the UDM may forego, refrain, or otherwise bypass storing the information related to the AUSF, including the AV.
  • the UDM may transmit, provide, or otherwise send a response with AV to the AUSF (825) .
  • the response may identify or include the AV sent to the AUSF in response to the request for AV.
  • the provision of the response with the AV may cause the AUSF to initiate authentication.
  • the response may identify or include the information related to the AUSF.
  • the UDM may otherwise cause the AUSF to initiate authentication of the remote wireless communication device seeking authorization to access the network via the relay wireless communication device.
  • the UDM may provide the information related to the AUSF to trigger the AUSF to initiate the authentication.
  • the AUSF may retrieve, identify, or otherwise receive the response with the AV from the UDM (830) .
  • the AUSF may process or parse the response to extract or identify the AV.
  • the AUSF may commence, start, or otherwise initiate the authentication of the wireless communication device (835) .
  • the AUSF may initiate the authentication in response to receipt of the response including the AV (or the information related to the AUSF) from the UDM.
  • the authentication may be performed between the AUSF and the remote wireless communication device via the relay AMF and the relay wireless communication device (e.g., in accordance with processes 600 and 700) .
  • the AUSF may transmit, provide, or otherwise send a message to indicate to the UDM to bypass storing the information related to the AUSF.
  • the AUSF may have previously omitted the indicator in the request for the AV, and send the indicator subsequent to successful authentication of the remote wireless communication device.
  • the UDM may retrieve, identify, or otherwise receive the message indicating to the UDM to bypass the storing of the information related to the AUSF. Upon receipt, the UDM may refrain or bypass the storage of the information related to the AUSF at the UDM.
  • the AUSF may transmit, send, or otherwise provide an authentication response message with a key to the relay AMF (840) .
  • the AUSF may determine, create, or otherwise generate a proximity services key (e.g., the K_NR_ProSe key) after successful completion of the authentication. With the generation, the AUSF may transmit, provide, or otherwise send an authentication response message to the relay AMF to be sent to the relay wireless communication device.
  • the authentication response message may identify or include the proximity services key, among others.
  • the relay AMF may retrieve, identify, or otherwise receive the message with the key from the AUSF (845) .
  • the relay AMF may retrieve, identify, or otherwise receive the authentication response message from the AUSF.
  • the relay AMF may process or parse the authentication response message to extract or identify the proximity services key, among others.
  • the relay AMF may transmit, provide, or otherwise send a relay key response to the relay wireless communication device. The sending of the relay key response may be in response to the receipt of the authentication response message.
  • the relay AMF may delete or remove the information related to the remote wireless communication device.
  • the relay wireless communication device may remove, erase, or otherwise delete information related to the remote wireless communication device.
  • the information may identify or include a non-access stratum security context information, an AMF key, the identity of the remote wireless communication device, the SUCI, or the SUPI, among others.
  • the relay AMF may not commence, start, or otherwise initiate a non-access stratum (NAS) security mode command (SMC) procedure with the remote wireless communication device.
  • the refraining from the initiation of the NAS SMC procedure with the remote wireless communication device may be in response to receipt of the authentication response message.
  • the relay AMF may refrain from initiating the NAS SMC procedure based on certain information.
  • the information may identify or include a relay service code, the identity of the remote wireless communication device, or the SUCI, among others.
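Steps 805 to 845 above, together with the result-confirmation behaviour of process 700, amount to a small state machine on the UDM: without the indicator the UDM records which AUSF instance authenticated the subscriber and tells the previously recorded one to clear stale parameters; with the indicator (sent in the AV request, or after authentication when the AV request omitted it) nothing about the relay-triggered authentication is kept. The following Python is an added example written for this page, not code from the patent or from ZTE, modelling that exchange. The Nausf/Nudm operation names come from the page, while the dictionary field names, the toy AV construction, the choice of the relay service code as the indicator, the sample SUPI/SUCI and the serving network name are constructed assumptions.

```python
"""Added example (not code from the patent): toy model of the AUSF/UDM/relay AMF
exchange of process 800 and the result-confirmation record of process 700.
Operation names come from the page; field names, AV construction, the relay
service code as indicator and the clear-stale-parameters notice are assumptions."""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class AV:  # RAND, AUTN, XRES*, KAUSF, as listed for the AV on the page
    rand: bytes
    autn: bytes
    xres_star: bytes
    k_ausf: bytes


@dataclass
class UDM:
    subscribers: dict                                    # SUPI -> long-term key (constructed)
    pending: dict = field(default_factory=dict)          # SUPI -> (AUSF id, AV) held until confirmation
    ausf_instances: dict = field(default_factory=dict)   # SUPI -> AUSF that last authenticated it
    clear_requests: list = field(default_factory=list)   # (old AUSF, SUPI) told to clear KAUSF/SoR/UPU state

    def get_av(self, req: dict) -> dict:
        """Steps 820/825. With the indicator present nothing about the requesting
        AUSF (its id, the AV) is kept; without it, it is held until confirmation."""
        supi = req["suci"].replace("suci-", "imsi-", 1)  # de-concealment simplified to a rename
        k, rand = self.subscribers[supi], os.urandom(16)
        av = AV(rand, hashlib.sha256(k + rand + b"AUTN").digest()[:16],
                hashlib.sha256(k + rand + b"RES").digest()[:16],
                hashlib.sha256(k + rand + req["serving_network_name"].encode()).digest())
        if "bypass_store_indicator" not in req:
            self.pending[supi] = (req["ausf_id"], av)
        return {"supi": supi, "av": av}

    def result_confirmation(self, ausf_id: str, supi: str, success: bool, bypass_store=False):
        """Nudm_UEAuthentication_ResultConfirmation (process 700): record the AUSF that
        reported success and ask the previous one to clear stale parameters; an
        indicator sent at this point instead discards what was held."""
        entry = self.pending.pop(supi, None)
        if bypass_store or not success or entry is None or entry[0] != ausf_id:
            return
        old = self.ausf_instances.get(supi)
        if old and old != ausf_id:
            self.clear_requests.append((old, supi))
        self.ausf_instances[supi] = ausf_id


class AUSF:
    def __init__(self, ausf_id: str, udm: UDM):
        self.ausf_id, self.udm = ausf_id, udm

    def authenticate(self, auth_req: dict, relay_access: bool, indicator="in_av_request") -> dict:
        """Steps 810-840. indicator: "in_av_request" (step 815), "after_auth" (sent once
        authentication succeeded), or None (no indicator, i.e. ordinary behaviour)."""
        req = {"ausf_id": self.ausf_id, "suci": auth_req["suci"],
               "serving_network_name": auth_req["serving_network_name"]}
        if relay_access and indicator == "in_av_request":
            req["bypass_store_indicator"] = auth_req["relay_service_code"]
        resp = self.udm.get_av(req)
        success = True  # step 835: 5G-AKA run via relay AMF and relay UE, simulated as successful
        self.udm.result_confirmation(self.ausf_id, resp["supi"], success,
                                     bypass_store=relay_access and indicator == "after_auth")
        if not relay_access:
            return {"success": success}
        # K_NR_ProSe from the newly derived K_AUSF, which is not made the latest K_AUSF
        k_nr_prose = hashlib.sha256(resp["av"].k_ausf + auth_req["nonce"]
                                    + auth_req["relay_service_code"]).digest()
        return {"success": success, "k_nr_prose": k_nr_prose, "nonce_2": os.urandom(16)}


def relay_amf_handle(auth_response: dict, remote_ue_ctx: dict) -> dict:
    """Step 845: forward the key in a relay key response, run no NAS SMC with the
    remote UE, and delete the remote UE's context (NAS context, KAMF, SUCI/SUPI)."""
    remote_ue_ctx.clear()
    return {"relay_key_response": {k: auth_response[k] for k in ("k_nr_prose", "nonce_2")},
            "nas_smc_run": False}


SN = "5G:mnc001.mcc001.3gppnetwork.org"                      # constructed serving network name
SUPI, SUCI = "imsi-001010123456789", "suci-001010123456789"  # constructed subscriber


def scenario(indicator="in_av_request") -> dict:
    """Ordinary registration via ausf-A, then relay access for the same subscriber
    via ausf-B. Returns the UDM state and what the relay AMF did afterwards."""
    udm = UDM(subscribers={SUPI: bytes(range(16))})
    ausf_a, ausf_b = AUSF("ausf-A", udm), AUSF("ausf-B", udm)
    ausf_a.authenticate({"suci": SUCI, "serving_network_name": SN}, relay_access=False)
    relay_req = {"suci": SUCI, "serving_network_name": SN,
                 "relay_service_code": b"\x00\x00\x01", "nonce": os.urandom(16)}
    ctx = {"kamf": os.urandom(32), "suci": SUCI}   # relay AMF's context for the remote UE
    amf_out = relay_amf_handle(ausf_b.authenticate(relay_req, True, indicator), ctx)
    return {"ausf_instances": dict(udm.ausf_instances), "clear_requests": list(udm.clear_requests),
            "pending": dict(udm.pending), "remote_ue_ctx_deleted": ctx == {},
            "nas_smc_run": amf_out["nas_smc_run"]}
```

`scenario("in_av_request")` and `scenario("after_auth")` both leave the UDM pointing at ausf-A with an empty clear-request list and nothing pending, while `scenario(None)` shows the state change the indicator prevents: the UDM switches its record to ausf-B and queues a request for ausf-A to clear its KAUSF and counters. The relay AMF side (no NAS SMC, remote UE context deleted) is the same in all three runs.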
  • any reference to an element herein using a designation such as “first, ” “second, ” and so forth does not generally limit the quantity or order of those elements. Rather, these designations can be used herein as a convenient means of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements can be employed, or that the first element must precede the second element in some manner.
  • any of the various illustrative logical blocks, modules, processors, means, circuits, methods and functions described in connection with the aspects disclosed herein can be implemented by electronic hardware (e.g., a digital implementation, an analog implementation, or a combination of the two), firmware, various forms of program or design code incorporating instructions (which can be referred to herein, for convenience, as “software” or a “software module”), or any combination of these techniques.
  • IC integrated circuit
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • the logical blocks, modules, and circuits can further include antennas and/or transceivers to communicate with various components within the network or within the device.
  • a general purpose processor can be a microprocessor, but in the alternative, the processor can be any conventional processor, controller, or state machine.
  • a processor can also be implemented as a combination of computing devices, e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other suitable configuration to perform the functions described herein.
  • Computer-readable media includes both computer storage media and communication media including any medium that can be enabled to transfer a computer program or code from one place to another.
  • a storage media can be any available media that can be accessed by a computer.
  • such computer-readable media can include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer.
  • module refers to software, firmware, hardware, and any combination of these elements for performing the associated functions described herein. Additionally, for purpose of discussion, the various modules are described as discrete modules; however, as would be apparent to one of ordinary skill in the art, two or more modules may be combined to form a single module that performs the associated functions according to embodiments of the present solution.
  • memory or other storage may be employed in embodiments of the present solution.
  • any suitable distribution of functionality between different functional units, processing logic elements or domains may be used without detracting from the present solution.
  • functionality illustrated to be performed by separate processing logic elements, or controllers may be performed by the same processing logic element, or controller.
  • references to specific functional units are only references to a suitable means for providing the described functionality, rather than indicative of a strict logical or physical structure or organization.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Radio Relay Systems (AREA)

Abstract

Systems, methods, apparatuses, or computer-readable media for authenticating remote wireless communication devices are disclosed. An authentication server function (AUSF) may send, to a unified data management (UDM), a request for authentication vectors (AV) in association with a remote wireless communication device seeking authorization to access a network via a relay wireless communication device. The request may include an indicator to indicate to the UDM to bypass storing information related to the AUSF. The AUSF may receive, from the UDM, the AV in response to the request.
PCT/CN2022/075148 2022-01-30 2022-01-30 Sécurité de relais d'équipement utilisateur à réseau pour des services basés sur la proximité WO2023142097A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CA3236441A CA3236441A1 (fr) 2022-01-30 2022-01-30 Securite de relais d'equipement utilisateur a reseau pour des services bases sur la proximite
PCT/CN2022/075148 WO2023142097A1 (fr) 2022-01-30 2022-01-30 Sécurité de relais d'équipement utilisateur à réseau pour des services basés sur la proximité

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/075148 WO2023142097A1 (fr) 2022-01-30 2022-01-30 Sécurité de relais d'équipement utilisateur à réseau pour des services basés sur la proximité

Publications (1)

Publication Number Publication Date
WO2023142097A1 true WO2023142097A1 (fr) 2023-08-03

Family

ID=87470260

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/075148 WO2023142097A1 (fr) 2022-01-30 2022-01-30 Sécurité de relais d'équipement utilisateur à réseau pour des services basés sur la proximité

Country Status (2)

Country Link
CA (1) CA3236441A1 (fr)
WO (1) WO2023142097A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009111734A (ja) * 2007-10-30 2009-05-21 Nippon Telegr & Teleph Corp <Ntt> 無線通信システム、及び、認証方法
CN102461233A (zh) * 2009-06-08 2012-05-16 高通股份有限公司 毫微微小区接入控制方法与装置
US20160088475A1 (en) * 2014-09-24 2016-03-24 Fortinet, Inc. Cache-based wireless client authentication
US20210143893A1 (en) * 2019-11-08 2021-05-13 Cisco Technology, Inc. Efficient operation of relay nodes in a citizen broadband radio service (cbrs) network

Also Published As

Publication number Publication date
CA3236441A1 (fr) 2023-08-03

Similar Documents

Publication Publication Date Title
US11700131B2 (en) Authentication mechanism for 5G technologies
US11863982B2 (en) Subscriber identity privacy protection against fake base stations
WO2019183794A1 (fr) Protection de la confidentialité d'une identité d'abonné et gestion de clés de réseau
US20220337995A1 (en) Apparatus and method for providing subscription data to non-subscriber registered terminal in wireless communication system
US20100180111A1 (en) method of establishing fast security association for handover between heterogeneous radio access networks
CN113329407A (zh) 用户设备与演进分组核心之间的相互认证
KR20220024922A (ko) 네트워크 슬라이싱을 위한 인가 방법
CN113676904B (zh) 切片认证方法及装置
WO2022247812A1 (fr) Procédé d'authentification, dispositif de communication et système
CN113727342A (zh) 网络注册的方法和装置
CN114600487A (zh) 身份认证方法及通信装置
WO2023011630A1 (fr) Procédé et appareil de vérification d'autorisation
WO2023142097A1 (fr) Sécurité de relais d'équipement utilisateur à réseau pour des services basés sur la proximité
WO2021195816A1 (fr) Procédé, appareil et système de communication
US20240236663A9 (en) Systems and methods for authorization of proximity based services
WO2022236543A1 (fr) Systèmes et procédés d'autorisation de services basés sur la proximité
KR20240107106A (ko) 근접성 기반 서비스를 위한 사용자 장비-네트워크 간 릴레이 보안
CN115136663A (zh) 基于iab节点识别信息授权iab节点连接的系统和方法
WO2024067619A1 (fr) Procédé de communication et appareil de communication
US20230262642A1 (en) Wireless residential gateway and indoor base station
US20240040377A1 (en) Method and device for provision key for base station verification in wireless communication system
WO2022099579A1 (fr) Transmissions dans des réseaux non publics autonomes
WO2023213191A1 (fr) Procédé de protection de sécurité et appareil de communication
WO2022001964A1 (fr) Procédé de communication, dispositif de terminal et dispositif de réseau d'accès radio
US20230336992A1 (en) Method and apparatus for authenticating user equipment in wireless communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22922926; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 3236441; Country of ref document: CA)
ENP Entry into the national phase (Ref document number: 2022922926; Country of ref document: EP; Effective date: 20240426)